The GhostNet Buster

April 27, 2009

Ottawa's Rafal Rohozinski helped uncover an
international espionage plot that has infected
computers in high-ranking offices around the
world. Now the sought-after expert is warning the
world about the cyber wars to come
By Vito Pilieci,
The Ottawa Citizen
April 25, 2009

'We have a lot of big stuff going on,' Rafal
Rohozinski says of his team's work. The Ottawa
computer consultant and his colleagues uncovered
GhostNet, a network of 1,300 computers infected
by a worm that allows hackers to gain control of the machines.

Photograph by: Julie Oliver, The Ottawa Citizen

OTTAWA -- In recent days, Rafal Rohozinski has
found international law enforcement officials and
high-tech security experts keen to pick his brain.

The 43-year-old chief executive of the SecDev
Group, an Ottawa-based computer consultancy, has
been jetting around the world to sound the alarm about the next big thing in cyber-espionage.

He's become a go-to guy ever since he and his
colleagues in Canada and abroad revealed the
GhostNet, a covert network of more than 1,300
compromised computers worldwide in foreign
affairs ministries, embassies, news media and
international organizations, including the offices of the Dalai Lama.

The hackers, linked to servers in China, gained
total control of the infected machines. They
could download files and even activate microphones and web cameras.

Thanks to the GhostNet probe, which also included
investigators at the University of Toronto's
Citizen Lab, Rohozinski has been making quick
converts to the proposition that what happened is
nothing less than the way in which war will increasingly be waged.

With communications, commerce and even military
defence dependent on the Internet, a cyber war
could in many ways be far more damaging than a
ground- or air-based military confrontation.

Rohozinski believes cyber warfare needs rules and
should be talked about openly, as is nuclear
warfare or acceptable battlefield practices.

"If the current paradigm of information security
is broken, what replaces it?" he said.

"This is such a good case study."

In early September last year, Rohozinski asked
his associate, Shishir Nagaraja, to travel
halfway around the world from his Cambridge,
England, office to Dharamsala, India, to probe a
mysterious and troubling computer problem.

At the office of the Dalai Lama, the spiritual
leader's aides, dressed in colourful robes,
greeted his arrival. But niceties were set aside
quickly. Nagaraja, a computer networking expert,
and his colleague, Greg Walton, a London-based
Internet security expert who had worked
previously with the Tibetan government-in-exile,
were quickly guided through three levels of
perimeter security before they found themselves
in front of a specific computer, designated for their use.

Nagaraja and Walton went to work, tracking
evidence that pointed to a possible computer
worm. Although they were trying to investigate
the Dalai Lama's computer system, their access
was limited to a single machine on which they had
to hope to catch the worm doing something
suspicious. It was a bit like trying to catch a
burglar in someone's house by peeking through a bathroom window.

But with some sweet talking from Nagaraja -- "I
am a 'local,'" he explains. "I can speak the
language and chat people up and they let their
guard down" -- they got the approval to run a
program called Wireshark on the network. The
free, open-source packet analyser recorded traffic coming and
going from the Dalai Lama's computers without
reading any documents on the system. Instead of
just peeking through the bathroom window,
Wireshark would allow the pair to catch the thief
by monitoring all of the exits in the house.

For three 14-hour days, Nagaraja sat with two
guards over his shoulder as he analysed hundreds
of lines of captured network traffic that scrolled
past like a chat session before his eyes. But his
efforts were being hampered by the two watchmen.
He logged the traffic for later study.

"I like to work alone. I like to sit in one place
and think and work, but I couldn't," he says.
"These guys were behind me and on top of that
they were asking me questions. I was really
tired. I was just like, 'Can't you stop asking me all of this trivial stuff'?"

Then he saw it.

He watched as a hacker instructed some malicious
code on the network to pull a specific file from
a computer in the Dalai Lama offices.

"We knew there was malware (a worm), but we had
no idea what it could do or what it was actually doing," says Nagaraja.
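The moment described above, the investigators watching captured traffic until the intruder's command to pull a file showed up, is the kind of thing a small detector can automate. The following is an added example, not code from the article or from the investigators' own tooling. The article does not describe the malware's wire format; this block assumes the publicly documented gh0st RAT framing (a 5-byte "Gh0st" marker, two little-endian 32-bit lengths, then a zlib-compressed body) and reconstructs each direction of each conversation before checking it. The host addresses, the plaintext command strings ("GET_FILE", "FILE_DATA") and the packets themselves are constructed for the demonstration; the real tool uses binary command codes.

```python
"""Spot gh0st-framed command traffic in captured TCP payloads.

Assumed framing (publicly documented gh0st RAT, not taken from the article):
  "Gh0st" | uint32 LE total frame length | uint32 LE uncompressed length | zlib body
Sample hosts, commands and packets below are constructed for this example.
"""
import struct
import zlib
from collections import defaultdict

MAGIC = b"Gh0st"
HEADER = struct.Struct("<5sII")  # magic, total frame length, uncompressed body length


def build_frame(body: bytes) -> bytes:
    """Wrap a plaintext command/response body in a gh0st-style frame."""
    comp = zlib.compress(body)
    return HEADER.pack(MAGIC, HEADER.size + len(comp), len(body)) + comp


def parse_frames(stream: bytes) -> list:
    """Return the decompressed bodies of consecutive valid frames in one stream.

    Parsing stops at the first frame whose header, zlib body or declared
    length does not check out, so a stray "Gh0st" string in unrelated
    traffic (the classic false positive of a magic-bytes-only rule) yields
    an empty list rather than an alert.
    """
    bodies = []
    off = 0
    while off + HEADER.size <= len(stream):
        magic, total, raw_len = HEADER.unpack_from(stream, off)
        if magic != MAGIC or total < HEADER.size or off + total > len(stream):
            break
        try:
            body = zlib.decompress(stream[off + HEADER.size:off + total])
        except zlib.error:
            break
        if len(body) != raw_len:
            break
        bodies.append(body)
        off += total
    return bodies


def find_gh0st_flows(packets) -> dict:
    """packets: iterable of (src, dst, payload) tuples in capture order.

    Reassembles each direction of each conversation and returns only the
    flows carrying valid frames, keyed (src, dst) -> list of bodies.
    """
    streams = defaultdict(bytes)
    for src, dst, payload in packets:
        streams[(src, dst)] += payload
    hits = {}
    for flow, data in streams.items():
        bodies = parse_frames(data)
        if bodies:
            hits[flow] = bodies
    return hits


# Constructed sample capture: one infected desktop talking to a controller,
# plus an ordinary web request and a reply that merely contains "Gh0st".
VICTIM, C2, WEB = "10.0.0.23", "203.0.113.9", "198.51.100.7"
SAMPLE_PACKETS = [
    (VICTIM, WEB, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (C2, VICTIM, build_frame(b"GET_FILE C:\\Docs\\school-contracts.doc")),
    (VICTIM, C2, build_frame(b"FILE_DATA " + b"A" * 400)),
    (WEB, VICTIM, b"Gh0st in the shell: a film review..."),
]

if __name__ == "__main__":
    for flow, bodies in find_gh0st_flows(SAMPLE_PACKETS).items():
        for body in bodies:
            print(f"{flow[0]} -> {flow[1]}: {body[:48]!r}")
```

Run against a real capture, the `packets` list would come from a pcap reader (for example `dpkt` or `scapy`) reduced to TCP payloads; the point of validating the length fields and the zlib body, rather than matching the five magic bytes alone, is that it is what turns a noisy string match into a check that only the genuine command channel will pass.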

He confronted his hosts. Initially hesitant to
discuss the file, they revealed after some
prodding that it contained classified information
about building contracts for schools in Tibet.

After five days of investigating, the consultants
found that the worm spread by way of booby-trapped
Microsoft Word documents and Adobe Acrobat PDF
files. Carried in those files, it had reached
nearly every computer in the Dalai Lama's offices.

The pair dubbed the worm GhostRat (and later,
when the scope of the operation became clear, would
call its larger network GhostNet). Not only did the pair
catch GhostRat in action, they also managed to
isolate the program so they knew what they were looking for.

Walton contacted Rohozinski in Ottawa to report
the findings. They agreed the consultants should
return to Britain, where the captured data could
be further analysed. Rohozinski asked Walton to keep him updated.

Walton soon figured out GhostRat's remarkable
range of abilities. It can control a computer's
webcam, turning it on to record the conversations
or interactions within a room. It can log a
computer's keystrokes, take screen grabs of what
users are looking at on their monitor, steal
files based on key words and even allow its
creators to take control of an infected computer from a remote location.

Whoever is pulling the strings behind GhostRat is
using the network to steal specific information.
This makes it different from most widespread
viruses and worms on the Internet, which copy
large amounts of information in the hope of
capturing something important. GhostRat homes in
on documents containing particular keywords and phrases,
then quietly sends copies of those documents to its handlers.

Rohozinski wanted to be informed immediately if
GhostRat became more active in Dharamsala, or,
indeed, if it was found elsewhere. But he made a
rule that investigators would have to follow for
the remainder of their investigation: No
information pertinent to the investigation was to be sent over the Internet.

He wouldn't dare risk tipping his team's hand to
the cyber-spies behind the worm.

- - -

Rohozinski and teammates didn't want to just
identify GhostRat. They wanted to identify the
perpetrators and, assuming other computers were
compromised, measure the scope of their spying.

Data that Walton and Nagaraja collected showed
links to other computers in pro-Tibetan
organizations around the world. Walton
would have to investigate. In October, he found
GhostRat in the London, England, offices of the
Tibetan government-in-exile and the cyber-plot
thickened. With the infection no longer confined
to India, Rohozinski became very interested.

He was already slated to travel from Ottawa to
speak at a conference about Internet governance
in Hyderabad, India, in early December. He asked
Walton to meet him there for a briefing. While in
India, Rohozinski interviewed computer security
staff from the Tibetan government-in-exile to
talk about what his team had found.

In late February this year, Rohozinski asked
Walton to travel to Toronto and bring the data he
had collected. The data went to Rohozinski's
colleague, Ron Deibert and his team at the
Citizen Lab in the Munk Centre for International
Studies at the University of Toronto.

More clues about GhostRat's spread were found
early last month when Walton scoured Tibetan
offices in New York City. "We had lots of data.
Tons of data," said Rohozinski. Those files were
also brought to Toronto where, in Deibert's team,
international relations PhD student and computer
security expert Nart Villeneuve was primarily responsible for its dissection.

Villeneuve was no stranger to big projects. In
October, the 34-year-old had helped to expose a
huge surveillance system in China that monitors
the archives and Internet-based text chat
sessions sent by users of a program called Tom-Skype.

After days of processing the data, Villeneuve had
made little headway. Even with the most advanced
technology, tracking the GhostNet was proving difficult.

Fortunately, he was able to tap a resource that
every Net surfer in the world has used or heard of -- Google.

- - -

On March 6, Villeneuve was getting frustrated. He
had pared back much of the data to a list of websites but had no leads.

However, something strange stuck out.

"One of them looked really funny to me and I
still really don't know why," he said. "It was a really long URL."

The URL, a website address, was more than 22
characters long, far longer than anything else
Villeneuve had dug up. Still stumped after using
the most advanced tools available to track the
GhostNet, it occurred to him that perhaps some
everyday technology might assist.

He entered the characters into Google.

"A control server came back," he said. "Something
matched this 22-character, fairly unique string
of text. I was able to start identifying the network."

Google led Villeneuve to a control server in the
U.S., where the stolen information was being
dumped. Using that data he found three more
servers. These were located in China.

Villeneuve's day got even better. Either through
incompetence or cockiness, the people behind the
GhostNet had not put a password on the servers.

Rohozinski and his team were able to access the
four control servers, then thumb through the
records of more than a thousand infected machines
that were sending confidential files and data.

The control servers contained a list of every
computer infected with GhostRat, an interface to
issue commands to those computers and a checklist
to instruct GhostNet operators about which
commands are pending and which have been completed.

The team then infected one of its own computers
with GhostRat and watched as the hackers snooped
around. The information they collected led to the
discovery of two more control servers, bringing
the total to six. Five were in China.

Infected machines were identified at the Asian
Development Bank in the Philippines, the offices
of the Associated Press in Britain, the Embassy
of Germany in Australia, the Embassy of India in
the U.S. and offices of Deloitte & Touche in New
York City. They even found an infected computer
at the North Atlantic Treaty Organization's
Supreme Headquarters Allied Powers Europe headquarters in Belgium.

The team immediately called the Canadian
government to share information through the
Canadian Cyber Incident Response Centre -- the
Ottawa-based federal agency responsible for
co-ordinating a national response to any
cyber-security threat. The centre began to notify infected parties.

GhostNet's ranks continue to swell. It is up to
more than 1,300 computers. In recent days,
Israel's embassy in Hong Kong was added to the
"infected" list. About a dozen Canadian computers have been identified, too.

- - -

Rohozinski, 43, has been a computer security
specialist for more than 17 years, working on
cyber espionage and hacker-related investigations
in more than 37 countries. He is no stranger to
hostile environments. In 2006, he was an embedded
chief technical adviser to the Palestinian Authority.

His company, SecDev, collaborates with Deibert's
group, the Citizen Lab, and the University of
Cambridge's Computer Security Program in a
project called the Information Warfare Monitor.

Rohozinski won't openly discuss many of InfoWar
Monitor's accomplishments because the information
is classified. However, the GhostNet probe
provided him an opportunity to at last speak out
and present an unclassified report. Tracking
GhostNet: Investigating a Cyber Espionage Network
is available for all to download on the Internet.

Still, with the report written, the story of
GhostNet isn't complete and the probe continues.
Who exactly is behind GhostNet remains unknown.
Despite the number of control servers in China
and the information targeted by attackers, no
smoking gun points definitively to the Chinese government.

China has blasted Rohozinski's report as nothing
more than an elaborate fairy tale. In a
statement, China's foreign ministry spokesman Qin
Gang said: "Some people overseas are indulged in
fabricating the sheer lies of the so-called
cyber-spies in China. Their attempt to defame China will get nowhere."

Rohozinski quickly brushed off the statements by the Chinese.

"Fine. Then investigate," he said. "There are 50
DSL (Internet) accounts being used. There is
enough for someone from government to look at."

Meanwhile, InfoWar Monitor is already on the
trail of another network of computers in a
Southeast Asian country that has been used to
attack opposition and media websites. The
investigators are also tracking activity in the
Internet's criminal underground throughout Central Asia and Russia.

Rohozinski was in Germany this week, meeting with
members from the Russian National Security
Council to discuss GhostNet and other cyber-security issues.

"We have a lot of big stuff going on," he said.

"This (the GhostNet probe) just seems to capture
the popular imagination in the way other stories haven't."

All this is happening at a time when politicians
are turning their attention to cyber-security
issues. Recent network intrusions by cyber-spies
have seen the electrical grid in the U.S. and
Canada mapped out and malicious software packages
left behind to damage or shut down parts of North
America's energy supply. Another security breach
at the U.S. Department of Defence, reported
earlier this week, saw plans for the $300 billion
U.S. Joint Strike Fighter project stolen.

U.S. president Barack Obama has made cyber
security a priority issue for his administration.
Last week the Department of Homeland Security put
out job want ads for hackers to keep a constant
watch over U.S. government networks and help protect them in case of an attack.

In addition to the hackers being sought by
Homeland Security, the U.S. Department of Defense
plans to triple the number of cyber security
experts that it trains on a yearly basis,
bringing the number annually trained from 80 to more than 250 by the year 2011.